sitespeed.tf

# Configure the AWS Provider
provider "aws" {
  access_key = "${var.aws_access_key}"
  secret_key = "${var.aws_secret_key}"
  region = "${var.aws_region}"
}

# Create a new IAM user
resource "aws_iam_user" "build_pipeline_user" {
  name = "build_pipeline_user"
}

# Create IAM access key for the new user
resource "aws_iam_access_key" "build_pipeline_user_key" {
  user = "${aws_iam_user.build_pipeline_user.name}"
}

# Create the SNS topics
resource "aws_sns_topic" "provision-topic" {
  name = "edx-pipeline-provision-topic"
}
resource "aws_sns_topic" "sitespeed-topic" {
  name = "edx-pipeline-sitespeed-topic"
}

# Create the SQS queues, including giving permission to
# the SNS topics to send messages to the queue
resource "aws_sqs_queue" "provision-queue" {
  name = "${var.provision_queue_name}"
  delay_seconds = "${var.queue_delay_seconds}"
  max_message_size = "${var.queue_max_message_size}"
  message_retention_seconds = "${var.queue_message_retention_seconds}"
  receive_wait_time_seconds = "${var.queue_receive_wait_time_seconds}"
  policy = <<EOF
{
  "Version":"2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "SQS:SendMessage",
      "Principal": "*",
      "Resource": "${format("arn:aws:sqs:%s:%s:%s", var.aws_region, var.aws_account_id, var.provision_queue_name)}",
      "Condition": {
        "ArnEquals": {
          "aws:SourceArn": "${aws_sns_topic.provision-topic.arn}"
        }
      }
    }
  ]
}
EOF
}

resource "aws_sqs_queue" "sitespeed-queue" {
  name = "${var.sitespeed_queue_name}"
  delay_seconds = "${var.queue_delay_seconds}"
  max_message_size = "${var.queue_max_message_size}"
  message_retention_seconds = "${var.queue_message_retention_seconds}"
  receive_wait_time_seconds = "${var.queue_receive_wait_time_seconds}"
  policy = <<EOF
{
  "Version":"2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "SQS:SendMessage",
      "Principal": "*",
      "Resource": "${format("arn:aws:sqs:%s:%s:%s", var.aws_region, var.aws_account_id, var.sitespeed_queue_name)}",
      "Condition": {
        "ArnEquals": {
          "aws:SourceArn": "${aws_sns_topic.sitespeed-topic.arn}"
        }
      }
    }
  ]
}
EOF
}

# Subscribe the SQS queues to the SNS topics
resource "aws_sns_topic_subscription" "provision-subscription" {
  topic_arn = "${aws_sns_topic.provision-topic.arn}"
  protocol  = "sqs"
  endpoint  = "${aws_sqs_queue.provision-queue.arn}"
}
resource "aws_sns_topic_subscription" "sitespeed-subscription" {
  topic_arn = "${aws_sns_topic.sitespeed-topic.arn}"
  protocol  = "sqs"
  endpoint  = "${aws_sqs_queue.sitespeed-queue.arn}"
}

# Allow the IAM user to publish to the SNS topics
# and to read and delete from the SQS queues.
# Jenkins and the build-trigger heroku app will be
# configured to use its key.
resource "aws_iam_user_policy" "user-pipeline-policy" {
  name = "${var.environment}-${var.deployment}-${var.service}-sender"
  user = "${aws_iam_user.build_pipeline_user.name}"
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sns:Publish"
      ],
      "Resource": "${aws_sns_topic.provision-topic.arn}"
    },
    {
      "Effect": "Allow",
      "Action": [
        "sqs:ReceiveMessage",
        "sqs:DeleteMessage"
      ],
      "Resource": "${aws_sqs_queue.provision-queue.arn}"
    },
    {
      "Effect": "Allow",
      "Action": [
        "sns:Publish"
      ],
      "Resource": "${aws_sns_topic.sitespeed-topic.arn}"
    },
    {
      "Effect": "Allow",
      "Action": [
        "sqs:ReceiveMessage",
        "sqs:DeleteMessage"
      ],
      "Resource": "${aws_sqs_queue.sitespeed-queue.arn}"
    }
  ]
}
EOF
}

# Output the AWS key and secret for the new user to the console.
# Note that it will also be available in the terraform.tfstate file.
output "key" {
    value = "${aws_iam_access_key.build_pipeline_user_key.id}"
}
output "secret" {
    value = "${aws_iam_access_key.build_pipeline_user_key.secret}"
}